Hackers don’t need complicated codes and tactics to break into computer systems — all they need is a USB drive.

A study by researchers at the University of Illinois found that nearly half of people who find a USB drive will plug it into a computer and open the files, typically out of curiosity or in hopes of finding the owner.

But security experts say just plugging in a USB drive can allow hackers to attack you. Cybercriminals could compromise not just that computer, but an entire system, including data saved to the cloud.

"This is clearly an effective way to compromise a system," said Michael Bailey, an associate professor of electrical and computer engineering at the University of Illinois at Urbana-Champaign. "Why go through cryptology or some other complicated way of compromising a system when you can clearly just get a user to click on something?"

Bailey and his colleagues teamed up with Google and the University of Michigan to conduct the study, which will be released at a conference in May. They dropped nearly 300 USB sticks throughout UIUC’s campus and measured how many people picked them up.

Ninety-eight percent of the drives were moved, and at least 45 percent were connected to computers. Someone plugged a drive in only six minutes after researchers dropped it.

The drives had different labels — some unmarked, some attached to house keys; others labeled "confidential" or "final exam solutions." They loaded the drives with files consistent to the label, such as "sp15/examA.pdf" and "Pictures/Winter Break/*.jpg".

The files actually contained a tag for an image on a centrally controlled server that let researchers know when a file was opened on an Internet-connected computer.

Once people double clicked on a file, a notification told them they were part of a study and asked them to take a survey. Many participants said they plugged the drive in hoping to return it to its owner.

Some of that checked out, Bailey said. On some drives, researchers put an "If found, please return to" label with an email address they created. Finders were significantly less likely to click on a file in those cases, Bailey said.

They also put a resume file on some of the drives. The majority of people clicked on that file, Bailey said, indicating they were looking for return info.

Nearly 1 in 5 respondents said they simply opened the drive because they were curious, but Bailey has a hunch that number should be higher.

"It’s pretty obvious that in a student population of 35,000, you’re not going to find the owner of a USB drive by looking at spring break pictures," he said.

The people plugging in the drives were not computer-illiterate or naive, Bailey said. These were people with experience. Demographics didn’t affect plug-in rates either, he said.

"We still have a fairly large gulf between the technology we used to secure our systems and how people choose to use the systems," he said. There needs to "be both a human and a technical solution."

"I don’t think most people realize that the USB interface that you plug into these specific devices, they can emulate anything," he said.

Social engineering tactics, such as this USB method or emailed phishing attacks, are the most common forms of cyberattacks, and can give criminals nearly unfettered access.

"Any data your computer contains or any of the accounts your computer has access to could all be compromised," he said. "In a corporate setting, it could be the entire company."

Karl Sigler is threat intelligence manager at Chicago-based cybersecurity company Trustwave. One of his teams stages cyberattacks on clients to test their vulnerability. Sigler said the team tests the USB attack frequently — they drop USBs in the parking lot, the bathroom, the lobby — and it’s almost guaranteed that someone will plug them in.

People need to be more aware of the dangers of plugging foreign electronics into computers, he said. But it’s hard to rewire human nature.

"It’s a difficult thing," he said. "Your natural instinct is to be a good Samaritan and try to get that property back, and that’s what criminals are capitalizing on — that trust."